Rockwell Automation FactoryTalk Historian ThingWorx
Act Now | CVSS 9.8 | ICS-CERT ICSA-25-142-02 | May 14, 2025
Rockwell Automation | PTC
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An XML External Entity (XXE) injection vulnerability in Apache affects Rockwell Automation FactoryTalk Historian ThingWorx applications that accept log4net configuration files. Successful exploitation allows an attacker to execute XXE-based attacks on these systems.
What this means
What could happen
An attacker could inject malicious XML into log4net configuration files to read sensitive files from the historian server, potentially exposing process data, credentials, or operational information critical to your facility's operations.
Who's at risk
Water utilities, electric utilities, and other industrial facilities using Rockwell Automation FactoryTalk Historian ThingWorx for process monitoring and data logging should evaluate their deployment. This affects both the historian server component (affected product 95057C-FTHTWXCT11 v4.02.00 and earlier) and any external systems using Apache's XML parsing libraries for configuration.
How it could be exploited
An attacker with network access to the FactoryTalk Historian application could upload or inject a specially crafted log4net XML configuration file. The application would parse the malicious XML, triggering an XXE attack that allows the attacker to read arbitrary files from the historian server or interact with internal systems.
Prerequisites
- Network access to the FactoryTalk Historian application
- Ability to submit or influence a log4net configuration file (via upload, API, or configuration interface)
- Application must parse untrusted XML configuration input

- Remotely exploitable
- No authentication required (if config file submission is open)
- Low complexity attack
- High EPSS score (49%)
- Affects critical historian/data logging systems
- XXE vulnerability can expose sensitive operational data
Exploitability
Likely to be exploited — EPSS score 72.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (2)
1 with fix, 1 pending
Product | Affected Versions | Fix Status
Apache Vulnerability in | All versions | No fix yet
95057C-FTHTWXCT11: <=v4.02.00 | ≤ v4.02.00 | v5.00.00
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the FactoryTalk Historian application to only trusted workstations and engineering systems; implement firewall rules to deny external access
HARDENING: Disable or restrict the ability to upload or modify log4net configuration files unless absolutely required; implement access controls on any configuration management interfaces
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update FactoryTalk Historian product 95057C-FTHTWXCT11 to version 5.00.00 or later
Long-term hardening
HARDENING: Monitor and log all configuration file uploads and modifications to the historian system for suspicious activity
HARDENING: Isolate the FactoryTalk Historian network segment from the business network using a firewall or network segmentation device
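One way to implement the configuration-upload monitoring recommended above, as an added example that is not part of the original advisory or of Rockwell's tooling: a Python check that inspects a submitted log4net XML file for DOCTYPE and entity declarations without resolving them. The function name, the sample documents and the policy that a log4net configuration needs no DTD are assumptions.

```python
import xml.parsers.expat

# Constructed samples (not from the advisory); the path is a placeholder.
SAMPLE_BAD = b"""<?xml version="1.0"?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<log4net><root><level value="INFO"/></root></log4net>"""
SAMPLE_CLEAN = b'<?xml version="1.0"?><log4net><root><level value="INFO"/></root></log4net>'


class _Stop(Exception):
    """Raised to end parsing once the prolog has been inspected."""


def scan_config(raw: bytes) -> list[str]:
    """Return findings for DTD/entity declarations; an empty list means none seen."""
    findings = []
    # expat detects UTF-8/UTF-16 itself, so re-encoding the file does not hide
    # a declaration the way it can from a byte-level pattern match.
    parser = xml.parsers.expat.ParserCreate()

    def doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE declared for <{name}>")
        if system_id or public_id:
            findings.append(f"external DTD reference: {system_id or public_id}")

    def entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter entity" if is_param else "entity"
        if system_id or public_id:
            findings.append(f"external {kind} '{name}' -> {system_id or public_id}")
        else:
            findings.append(f"internal {kind} '{name}'")

    def stop(*_args):
        # Declarations can only precede the root element, so stop here:
        # nothing is fetched and no entity reference is ever expanded.
        raise _Stop()

    parser.StartDoctypeDeclHandler = doctype
    parser.EntityDeclHandler = entity
    parser.EndDoctypeDeclHandler = stop
    parser.StartElementHandler = stop
    try:
        parser.Parse(raw, True)
    except _Stop:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")  # reject rather than guess
    return findings
```

Any non-empty result is a reason to reject the file and log the submission; a declaration is flagged even when the document never references the entity.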
CVEs (1)
API: /api/v1/advisories/3d07556d-6561-4a50-9d4e-f7d36491454a